Re: [PATCH] vmx/nested: Set the SGX feature flag only when hardware supported.

From: Huang, Kai

Date: Tue Mar 24 2026 - 06:25:55 EST


On Tue, 2026-03-24 at 11:27 +0800, 18341265598@xxxxxxx wrote:
> From: "zhaoge.zhang" <zhangzg12@xxxxxxxxxxxxxxx>
>
> If the hardware does not support the SGX feature and we set the
> corresponding flag, when the L1 hypervisor enables the corresponding
> feature in VMCS12, the VM entry will fail.
>
> Reported-by: wei xiaoqiong <weixq1@xxxxxxxxxxxxxxx>
> Signed-off-by: zhaoge.zhang <zhangzg12@xxxxxxxxxxxxxxx>
> Reviewed-by: Huaitong Han <hanht2@xxxxxxxxxxxxxxx>
> ---
> arch/x86/kvm/vmx/nested.c | 2 +-
> arch/x86/kvm/vmx/vmx.c | 11 -----------
> arch/x86/kvm/vmx/vmx.h | 11 +++++++++++
> 3 files changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 937aeb4..396ac07 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -7278,7 +7278,7 @@ static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
> msrs->secondary_ctls_high |=
> SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
>
> - if (enable_sgx)
> + if (enable_sgx && cpu_has_sgx())
> msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
> }
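Review bot: the new `cpu_has_sgx()` test in nested_vmx_setup_secondary_ctls() duplicates the gating that already derives enable_sgx from hardware support at module load, so the commit message needs to state how enable_sgx can still be true while cpu_has_sgx() reports false (for example an SGX soft-disable after KVM has loaded) rather than only that VM entry fails; without that justification the check reads as masking a symptom. If that runtime case is what was observed, a short comment next to `if (enable_sgx && cpu_has_sgx())` naming it would help the next reader.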

Are you seeing the case where enable_sgx is true but cpu_has_sgx() reports
false?

It's quite strange because during KVM load, if cpu_has_sgx() is false,
enable_sgx is guaranteed to be false.

The only case that I can think of is that, after KVM loads, somehow a machine check
happens, which "soft disables" SGX (CPUID reports SGX1 as 0).

Is this the case you are meeting?


[...]

> +/*
> + * There is no X86_FEATURE for SGX yet, but anyway we need to query CPUID

Btw, the "There is no X86_FEATURE for SGX yet" part is obviously obsolete
now.